From a5e756c280f105f8221062d0ec7c288c33d2c8c3 Mon Sep 17 00:00:00 2001 
From: Julian Rother Date: Wed, 29 Jan 2025 03:02:15 +0100 Subject: [PATCH] Initial commit --- defaults/main.yml | 65 +++++++ handlers/main.yml | 11 ++ tasks/main.yml | 138 +++++++++++++++ templates/dovecot/dovecot-dict-sql.conf.j2 | 14 ++ templates/dovecot/dovecot-sql.conf.j2 | 5 + templates/dovecot/dovecot.conf.j2 | 159 ++++++++++++++++++ templates/postfix/header_checks.j2 | 5 + templates/postfix/main.cf.j2 | 100 +++++++++++ templates/postfix/master.cf.j2 | 125 ++++++++++++++ templates/postfix/pgsql/relay_domains.cf.j2 | 4 + .../postfix/pgsql/virtual_alias_maps.cf.j2 | 4 + .../postfix/pgsql/virtual_domains_maps.cf.j2 | 4 + .../postfix/pgsql/virtual_mailbox_maps.cf.j2 | 4 + .../postfix/pgsql/virtual_sender_maps.cf.j2 | 4 + templates/postfixadmin/config.local.php.j2 | 30 ++++ templates/postfixadmin/php-fpm-pool.conf.j2 | 5 + templates/postsrsd/default.j2 | 62 +++++++ .../prometheus-postfix-exporter/default.j2 | 15 ++ 18 files changed, 754 insertions(+) create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/dovecot/dovecot-dict-sql.conf.j2 create mode 100644 templates/dovecot/dovecot-sql.conf.j2 create mode 100644 templates/dovecot/dovecot.conf.j2 create mode 100644 templates/postfix/header_checks.j2 create mode 100644 templates/postfix/main.cf.j2 create mode 100644 templates/postfix/master.cf.j2 create mode 100644 templates/postfix/pgsql/relay_domains.cf.j2 create mode 100644 templates/postfix/pgsql/virtual_alias_maps.cf.j2 create mode 100644 templates/postfix/pgsql/virtual_domains_maps.cf.j2 create mode 100644 templates/postfix/pgsql/virtual_mailbox_maps.cf.j2 create mode 100644 templates/postfix/pgsql/virtual_sender_maps.cf.j2 create mode 100644 templates/postfixadmin/config.local.php.j2 create mode 100644 templates/postfixadmin/php-fpm-pool.conf.j2 create mode 100644 templates/postsrsd/default.j2 create mode 100644 templates/prometheus-postfix-exporter/default.j2 
diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..c27c008 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,65 @@ +mailserver: + tls_cert: "/etc/ssl/{{ inventory_hostname }}.chain.crt" + tls_key: "/etc/ssl/private/{{ inventory_hostname }}.key" + domains: [] # All mail domains + postfix: + metrics_address: "127.0.0.1:9154" + milters: [] + header_checks: + remove_client_ip_from_received: + regex: '^Received:.*(by.*with [A-Z0-9]*SMTPSA.*)$' + action: 'REPLACE Received: $1' + drop_originating_ip: + regex: '^X-Originating-IP:' + action: IGNORE + drop_mailer: + regex: '^X-Mailer:' + action: IGNORE + drop_user_agent: + regex: '^User-Agent:' + action: IGNORE + postfixadmin: + php_fpm_config: + user: postfixadmin + group: postfixadmin + listen: /run/php/php{{ php_version }}-fpm-postfixadmin.sock + listen.owner: www-data + listen.group: www-data + listen.mode: '0660' + 'php_admin_value[syslog.ident]': postfixadmin + pm: dynamic + pm.max_children: 50 + pm.start_servers: 2 + pm.min_spare_servers: 2 + pm.max_spare_servers: 3 + 'env[HOSTNAME]': '$HOSTNAME' + 'env[PATH]': /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + 'env[TMP]': /tmp + 'env[TMPDIR]': /tmp + 'env[TEMP]': /tmp + config: + configured: true + database_type: pgsql + database_host: null + database_user: postfixadmin + database_password: '' + database_name: postfixadmin + encrypt: 'dovecot:ARGON2I' + default_aliases: [] # For now + domain_path: 'YES' + domain_in_mailbox: 'NO' + aliases: 0 + mailboxes: 0 + maxquota: 0 + domain_quota_default: 0 + quota: 'YES' + domain_quota: 'NO' + sendmail: 'NO' + fetchmail: 'NO' + show_status: 'NO' + forgotten_user_password_reset: false + forgotten_admin_password_reset: false + password_expiration: 'NO' + generate_password: 'YES' + used_quotas: 'YES' + show_footer_text: 'NO' diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..90ae1ae --- /dev/null +++ b/handlers/main.yml 
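Review bot: The `mailserver.postfix.header_checks` entries accept a `disabled` toggle (templates/postfix/header_checks.j2 skips any item whose `disabled` is true) that the defaults neither set nor document, so an operator cannot see how to switch off one of the four built-in checks without reading the template. A comment on the `header_checks:` key such as `# each entry: regex, action, optional disabled: true` would make that contract visible. `database_password: ''` is rendered into /etc/postfixadmin/config.local.php, so its line should say it is expected to be overridden from an encrypted variable source, and `domains: [] # All mail domains` should mention that the list also feeds `SRS_EXCLUDE_DOMAINS` in templates/postsrsd/default.j2.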
@@ -0,0 +1,11 @@ +- name: restart dovecot + service: name=dovecot state=restarted + +- name: restart postfix + service: name=postfix state=restarted + +- name: restart prometheus-postfix-exporter + service: name=prometheus-postfix-exporter state=restarted + +- name: restart postsrsd + service: name=postsrsd state=restarted diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..2c4fb3b --- /dev/null +++ b/tasks/main.yml 
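Review bot: The four handlers use the free-form `key=value` argument string (`service: name=dovecot state=restarted`) while every task in tasks/main.yml uses fully-qualified module names with block-style arguments; the two files should follow one convention. Each handler reads better as `ansible.builtin.service:` with `name: dovecot` and `state: restarted` on their own lines, and the same rewrite applies to the postfix, prometheus-postfix-exporter and postsrsd handlers. tasks/main.yml also notifies a `restart php-fpm` handler that is not defined here; its comment says it comes from the nginx role, so a comment at the top of this file recording that dependency would help whoever runs the role standalone.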
@@ -0,0 +1,138 @@ +- name: install packages + ansible.builtin.apt: + pkg: + - postfixadmin + - postfix + - postfix-pgsql + - prometheus-postfix-exporter + - postsrsd + - dovecot-common + - dovecot-imapd + - dovecot-managesieved + - dovecot-pgsql + +- name: add vmail group + ansible.builtin.group: + name: vmail + system: true + +- name: add vmail user + ansible.builtin.user: + name: vmail + group: vmail + home: /nonexistent + create_home: false + system: true + +- name: create /var/mail/vmail + ansible.builtin.file: + path: /var/mail/vmail + state: directory + owner: vmail + group: vmail + mode: '0750' + +# postfixadmin +- name: create postfixadmin group + ansible.builtin.group: + name: postfixadmin + system: true + +- name: create postfixadmin user + ansible.builtin.user: + name: postfixadmin + group: postfixadmin + groups: www-data + home: /nonexistent + create_home: false + system: true + +- name: copy postfixadmin config + ansible.builtin.template: + src: postfixadmin/config.local.php.j2 + dest: /etc/postfixadmin/config.local.php + owner: root + group: postfixadmin + mode: "0640" + +- name: fix access rights to postfixadmin template cache + ansible.builtin.file: + state: directory + owner: postfixadmin + group: postfixadmin + mode: 0700 + path: /var/cache/postfixadmin/templates_c + +# php_version and "restart php-fpm" handler from nginx role +- name: create postfixadmin php pool + ansible.builtin.template: + src: postfixadmin/php-fpm-pool.conf.j2 + dest: "/etc/php/{{ php_version }}/fpm/pool.d/postfixadmin.conf" + owner: root + group: root + mode: 0644 + notify: + - restart php-fpm + +# dovecot +- name: copy dovecot config + ansible.builtin.template: + src: "dovecot/{{ item }}.j2" + dest: "/etc/dovecot/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - dovecot.conf + - dovecot-sql.conf + - dovecot-dict-sql.conf + notify: restart dovecot + +# prometheus-postfix-exporter +- name: configure prometheus postfix exporter + ansible.builtin.template: + src: 
prometheus-postfix-exporter/default.j2 + dest: /etc/default/prometheus-postfix-exporter + owner: root + group: root + mode: 0644 + notify: + - restart prometheus-postfix-exporter + +# postsrsd +- name: configure postsrsd + ansible.builtin.template: + src: postsrsd/default.j2 + dest: /etc/default/postsrsd + owner: root + group: root + mode: 0644 + notify: + - restart postsrsd + +# postfix +- name: create postfix psql config dir + ansible.builtin.file: + state: directory + owner: root + group: root + mode: 0755 + path: "/etc/postfix/pgsql" + +- name: copy postfix config + ansible.builtin.template: + src: "postfix/{{ item }}.j2" + dest: "/etc/postfix/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - main.cf + - master.cf + - header_checks + - pgsql/relay_domains.cf + - pgsql/virtual_alias_maps.cf + - pgsql/virtual_domains_maps.cf + - pgsql/virtual_mailbox_maps.cf + - pgsql/virtual_sender_maps.cf + notify: restart postfix diff --git a/templates/dovecot/dovecot-dict-sql.conf.j2 b/templates/dovecot/dovecot-dict-sql.conf.j2 new file mode 100644 index 0000000..858cf18 --- /dev/null +++ b/templates/dovecot/dovecot-dict-sql.conf.j2 @@ -0,0 +1,14 @@ +connect = dbname=postfixadmin + +map { + pattern = priv/quota/storage + table = quota2 + username_field = username + value_field = bytes +} +map { + pattern = priv/quota/messages + table = quota2 + username_field = username + value_field = messages +} diff --git a/templates/dovecot/dovecot-sql.conf.j2 b/templates/dovecot/dovecot-sql.conf.j2 new file mode 100644 index 0000000..11a06bb --- /dev/null +++ b/templates/dovecot/dovecot-sql.conf.j2 @@ -0,0 +1,5 @@ +driver = pgsql +connect = dbname=postfixadmin + +password_query = SELECT username AS user,password FROM mailbox WHERE username = '%u' AND active='1' +user_query = SELECT '/var/mail/vmail/' || maildir AS home, '*:bytes=' || quota AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1' 
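Review bot: The `add vmail user` task lets Ansible pick a system uid for vmail, but templates/dovecot/dovecot.conf.j2 hardcodes `mail_uid = 1000`, `mail_gid = 1000` and `first_valid_uid`/`last_valid_uid = 1000`; with `system: true` the allocated id comes from the system range and is unlikely to be 1000, so Dovecot's uid checks would not match the owner of /var/mail/vmail. Pin it with `uid: 1000` on the user task and `gid: 1000` on the `add vmail group` task, or render the real ids into dovecot.conf. Separately, `mode: 0700`, `mode: 0644` and `mode: 0755` are unquoted octal literals while the postfixadmin tasks in this same file write `'0750'` and `"0640"`; quote all of them so the value does not depend on the YAML parser's octal handling and ansible-lint stops flagging them.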
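Review bot: `connect = dbname=postfixadmin` names no `user=`, so the quota dict connects over the local socket as the OS user of the dict process, which dovecot.conf sets to `user = vmail` under `service dict`; that presumes a PostgreSQL role `vmail` with peer authentication and write access to `quota2`, and nothing in this patch creates it. A comment such as `# peer auth: needs a PostgreSQL role named after the dict service user (vmail) with UPDATE on quota2` would record the dependency. The same unstated role requirement applies to templates/dovecot/dovecot-sql.conf.j2 and, for the explicit `user = postfix`, to the five templates/postfix/pgsql/*.cf.j2 maps.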
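Review bot: `password_query` and `user_query` compare `active='1'` while the Postfix maps in templates/postfix/pgsql/*.cf.j2 compare `active = true` against the same table; both work for a PostgreSQL boolean, but the two spellings invite a mismatch if the column type ever changes, so use `active = true` here too. The `connect` line again omits `user=`, so which PostgreSQL role performs these lookups depends on the OS user of the Dovecot auth worker — presumably not the `vmail` user the dict service runs as — and a comment naming the role that must exist would save the next person a failed deploy: `# peer auth as the auth worker's OS user; that role needs SELECT on mailbox`.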
diff --git a/templates/dovecot/dovecot.conf.j2 b/templates/dovecot/dovecot.conf.j2
new file mode 100644
index 0000000..53fdbf0
--- /dev/null
+++ b/templates/dovecot/dovecot.conf.j2
@@ -0,0 +1,159 @@ +listen = *, :: +protocols = imap sieve +mail_plugins = $mail_plugins quota + +ssl = required +ssl_cert = <{{ mailserver.tls_cert }} +ssl_key = <{{ mailserver.tls_key }} +ssl_dh = , quota_rule=*:bytes= + +} +passdb { + driver = sql + args = /etc/dovecot/dovecot-sql.conf + # Returns: user=, password= +} + +# Mailboxes +mail_location = maildir:~/Maildir # Expanded to maildir:/var/mail/vmail//Maildir +mail_uid = 1000 +mail_gid = 1000 +first_valid_uid = 1000 +last_valid_uid = 1000 +first_valid_gid = 1000 +last_valid_gid = 1000 +mailbox_list_index = yes + +namespace inbox { + separator = '/' + inbox = yes + mailbox Drafts { + special_use = \Drafts + auto = subscribe + } + mailbox Junk { + special_use = \Junk + auto = subscribe + } + mailbox Trash { + special_use = \Trash + auto = subscribe + } + mailbox Sent { + special_use = \Sent + auto = subscribe + } +} + +# IMAP +protocol imap { + # TODO: imap_quota? + mail_plugins = $mail_plugins +} + +service imap-login { + inet_listener imap { + port = 0 + } + inet_listener imaps { + port = 993 + ssl = yes + } +} + +# Sieve +plugin { + sieve = file:~/sieve;active=~/.dovecot.sieve +} + +service managesieve-login { + inet_listener sieve { + port = 4190 + } +} + +# Misc +service auth { + unix_listener auth-userdb { + mode = 0777 + } + + # Postfix uses this socket for submission auth + unix_listener /var/spool/postfix/private/auth { + mode = 0666 + user = postfix + group = postfix + } +} + +service quota-status { + executable = quota-status -p postfix + # Postfix uses this socket to check quotas on delivery (as check_policy_service) + unix_listener /var/spool/postfix/private/policy-quota { + mode = 0666 + user = postfix + group = postfix + } + client_limit = 1 +} + +service stats { + unix_listener stats-reader { + user = vmail + group = vmail + mode = 0660 + } + + unix_listener stats-writer { + user = vmail + group = vmail + # 0666 instead of 0660, so postfixadmin can call doveadm pw without errors + mode = 0666 + 
} +} + +# Postfix delivers incoming mails via lda (transport "dovecot") +quota_full_tempfail = yes +lda_mailbox_autocreate = yes +protocol lda { + mail_plugins = $mail_plugins sieve +} + +# Debugging +auth_verbose = yes +auth_debug = yes +mail_debug = yes + +# Quota +plugin { + # Use postfixadmins quota2 table, so used_quota works + quota = dict:User quota::proxy::pgsql + # Default quota rule, overwritten by userdb + quota_rule = *:storage=0 # 0=unlimited + quota_grace = 10%% + quota_status_success = DUNNO + quota_status_nouser = DUNNO + quota_status_overquota = "552 5.2.2 Mailbox is full" +} + +service dict { + unix_listener dict { + mode = 0600 + user = vmail + } +} +dict { + # proxy::pgsql + pgsql = pgsql:/etc/dovecot/dovecot-dict-sql.conf +} diff --git a/templates/postfix/header_checks.j2 b/templates/postfix/header_checks.j2 new file mode 100644 index 0000000..fa75f78 --- /dev/null +++ b/templates/postfix/header_checks.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +{% for item in mailserver.postfix.header_checks.values() if not item.disabled|d(false) %} +/{{ item.regex }}/ {{ item.action }} +{% endfor %} diff --git a/templates/postfix/main.cf.j2 b/templates/postfix/main.cf.j2 new file mode 100644 index 0000000..d05092d --- /dev/null +++ b/templates/postfix/main.cf.j2 
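Review bot: `unix_listener auth-userdb { mode = 0777 }` makes the userdb lookup socket connectable by every local account, and the two Postfix-facing listeners (`private/auth` and `private/policy-quota`) use `mode = 0666` even though they already set `user = postfix` / `group = postfix`; `0660` is enough for those, and auth-userdb can be limited to `user = vmail`, `group = vmail`, `mode = 0660` since vmail is the only consumer visible here (the `stats-writer` block explains its 0666 — the same justification is missing for the others). The `# Debugging` block leaves `auth_verbose`, `auth_debug` and `mail_debug` enabled, which logs details of every authentication and mailbox access in production; if that is intended, say why, otherwise set them to `no` or expose them as a role variable defaulting to off. The lines between `ssl_key` and `passdb` (the `ssl_dh` value and the userdb block) did not survive this rendering and were not reviewed.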
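Review bot: Each entry's `regex` is dropped verbatim between `/` delimiters, so a pattern containing an unescaped `/` yields a malformed regexp-table line that Postfix will log and ignore rather than fail the play. Either document that constraint on the `header_checks` entries or escape in the template, e.g. `/{{ item.regex|replace('/', '\\/') }}/ {{ item.action }}`. Because main.cf points both `header_checks` and `mime_header_checks` at this one file, every rule also runs against MIME part headers of every message; a line in the `{{ ansible_managed }}` header comment saying so would help.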
@@ -0,0 +1,100 @@ +compatibility_level = 3.7 + +# Sane defaults +biff = no +# TODO: v why? v +append_dot_mydomain = no +local_header_rewrite_clients = permit_inet_interfaces permit_sasl_authenticated +# TODO: v why? v +readme_directory = no +smtpd_helo_required = yes +strict_rfc821_envelopes = yes +disable_vrfy_command = yes +mailbox_size_limit = 0 +recipient_delimiter = + +inet_protocols = all +message_size_limit = 102400000 +# Disable all error reports to postmaster@, because they sometimes contain +# passwords or other confidential information +notify_classes = + +smtpd_helo_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_invalid_helo_hostname, + reject_non_fqdn_helo_hostname + +smtpd_sender_restrictions = reject_non_fqdn_sender, + reject_unknown_sender_domain, + permit_mynetworks, + permit_sasl_authenticated + +smtpd_recipient_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_unlisted_recipient, + reject_unknown_recipient_domain, + reject_unauth_destination, + reject_non_fqdn_recipient, + # Quota check via Dovecot + check_policy_service unix:private/policy-quota, + permit + +mua_helo_restrictions = permit_mynetworks, + permit_sasl_authenticated, + reject_invalid_helo_hostname, + reject_non_fqdn_helo_hostname + +mua_sender_restrictions = reject_non_fqdn_sender, + reject_unknown_sender_domain, + # Sender verification is disabled! 
+ warn_if_reject, + reject_authenticated_sender_login_mismatch, + permit_mynetworks, + permit_sasl_authenticated + +mua_client_restrictions = permit_sasl_authenticated, + reject + +# Host settings +myhostname = {{ inventory_hostname }} +mydomain = {{ ansible_domain }} +myorigin = $mydomain +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost + +# TLS parameters +smtpd_tls_cert_file = {{ mailserver.tls_cert }} +smtpd_tls_key_file = {{ mailserver.tls_key }} +smtpd_use_tls = yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtpd_tls_security_level = may +smtpd_tls_auth_only = yes +smtp_tls_security_level = may + +# Postfixadmin and dovecot integration +relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf +virtual_alias_maps = pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf +virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf +virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf +virtual_transport = dovecot +dovecot_destination_recipient_limit = 1 +local_transport = dovecot +local_recipient_maps = $virtual_mailbox_maps +smtpd_sender_login_maps = pgsql:/etc/postfix/pgsql/virtual_sender_maps.cf +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth + +# PostSRS integration +sender_canonical_maps = tcp:localhost:10001 +sender_canonical_classes = envelope_sender +recipient_canonical_maps = tcp:127.0.0.1:10002 + +# Milters +milter_protocol = 6 +milter_default_action = accept +smtpd_milters = {{ ' '.join(mailserver.postfix.milters) }} +non_smtpd_milters = {{ ' '.join(mailserver.postfix.milters) }} + +# Header checks +mime_header_checks = regexp:/etc/postfix/header_checks +header_checks = regexp:/etc/postfix/header_checks 
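Review bot: In `mua_sender_restrictions`, `warn_if_reject` downgrades `reject_authenticated_sender_login_mismatch` to a log line, so any authenticated mailbox can submit with any envelope sender, including another user's address; the `# Sender verification is disabled!` comment records the fact but not the reason. If this is deliberate for a rollout period, say so with a date or ticket, otherwise drop the `warn_if_reject,` line so `smtpd_sender_login_maps` is actually enforced. `sender_canonical_maps = tcp:localhost:10001` and `recipient_canonical_maps = tcp:127.0.0.1:10002` name the same daemon two ways, and templates/postsrsd/default.j2 binds `SRS_LISTEN_ADDR=127.0.0.1`, so use `127.0.0.1` for both to rule out a `localhost` → `::1` lookup that nothing listens on. `header_checks` and `mime_header_checks` are set globally here, so the X-Originating-IP/X-Mailer/User-Agent `IGNORE` rules from defaults also strip those headers from inbound mail, removing evidence that is useful when investigating abuse; a dedicated cleanup service for submission (`-o cleanup_service_name=` on the submission smtpd, `-o header_checks=` on that cleanup entry) would confine them to outbound mail. The two `# TODO: v why? v` markers above `append_dot_mydomain` and `readme_directory` should be resolved or removed before this lands.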
diff --git a/templates/postfix/master.cf.j2 b/templates/postfix/master.cf.j2
new file mode 100644
index 0000000..e4e34e6
--- /dev/null
+++ b/templates/postfix/master.cf.j2
@@ -0,0 +1,125 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o smtpd_tls_security_level=encrypt + -o syslog_name=postfix/submission + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no + -o smtpd_client_restrictions=$mua_client_restrictions + -o smtpd_helo_restrictions=$mua_helo_restrictions + -o smtpd_sender_restrictions=$mua_sender_restrictions + -o smtpd_recipient_restrictions= + -o milter_macro_daemon_name=ORIGINATING +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 
1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +#uucp unix - n n - - pipe +# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +#ifmail unix - n n - - pipe +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +#bsmtp unix - n n - - pipe +# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +#scalemail-backend unix - n n - 2 pipe +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -a ${original_recipient} -d ${user}@${domain} diff --git a/templates/postfix/pgsql/relay_domains.cf.j2 b/templates/postfix/pgsql/relay_domains.cf.j2 new file mode 100644 index 0000000..cc79f7d --- /dev/null +++ b/templates/postfix/pgsql/relay_domains.cf.j2 
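Review bot: The `mailman` and `maildrop` pipe transports are left active (uncommented) although nothing in this role installs Mailman or maildrop and main.cf never routes to either; `maildrop` runs as `user=vmail` and `mailman` as `user=list` invoking `/usr/lib/mailman/bin/postfix-to-mailman.py`, none of which this role creates. They are carried over from the distribution's example master.cf and should be commented out like the cyrus and uucp examples, leaving the `dovecot` entry as the only non-Postfix delivery agent. It would also help to note on the `dovecot` entry that `dovecot_destination_recipient_limit = 1` in main.cf is what makes `${user}@${domain}` expand to exactly one recipient.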
@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT domain FROM domain WHERE domain='%s' and backupmx = true
diff --git a/templates/postfix/pgsql/virtual_alias_maps.cf.j2 b/templates/postfix/pgsql/virtual_alias_maps.cf.j2
new file mode 100644
index 0000000..7e91a49
--- /dev/null
+++ b/templates/postfix/pgsql/virtual_alias_maps.cf.j2
@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT goto FROM alias WHERE address='%s' AND active = true
diff --git a/templates/postfix/pgsql/virtual_domains_maps.cf.j2 b/templates/postfix/pgsql/virtual_domains_maps.cf.j2
new file mode 100644
index 0000000..f5151e9
--- /dev/null
+++ b/templates/postfix/pgsql/virtual_domains_maps.cf.j2
@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true
diff --git a/templates/postfix/pgsql/virtual_mailbox_maps.cf.j2 b/templates/postfix/pgsql/virtual_mailbox_maps.cf.j2
new file mode 100644
index 0000000..27c63e7
--- /dev/null
+++ b/templates/postfix/pgsql/virtual_mailbox_maps.cf.j2
@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true
diff --git a/templates/postfix/pgsql/virtual_sender_maps.cf.j2 b/templates/postfix/pgsql/virtual_sender_maps.cf.j2
new file mode 100644
index 0000000..fc23682
--- /dev/null
+++ b/templates/postfix/pgsql/virtual_sender_maps.cf.j2
@@ -0,0 +1,4 @@
+dbname = postfixadmin
+user = postfix
+hosts = unix:/var/run/postgresql
+query = SELECT username FROM mailbox WHERE username='%s' AND active = true
diff --git a/templates/postfixadmin/config.local.php.j2 b/templates/postfixadmin/config.local.php.j2
new file mode 100644
index 0000000..14fc225
--- /dev/null
+++ b/templates/postfixadmin/config.local.php.j2
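Review bot: `relay_domains.cf` selects domains with `backupmx = true` and main.cf adds this map to `relay_domains`, but no `relay_recipient_maps` is configured there, so for any backup-MX domain Postfix has to accept every recipient and can only bounce unknown ones after the primary rejects them, i.e. backscatter. Either add a `relay_recipient_maps` pgsql map or document that backup-MX domains are not expected in the postfixadmin database. All five `templates/postfix/pgsql/*.cf.j2` maps (this one, virtual_alias_maps, virtual_domains_maps, virtual_mailbox_maps, virtual_sender_maps) connect as `user = postfix` over `unix:/var/run/postgresql`, which relies on peer authentication for a PostgreSQL role `postfix` with SELECT on those tables; nothing in this patch creates that role, so a header comment such as `# peer auth: requires PostgreSQL role "postfix" with SELECT on the postfixadmin tables` belongs in each file. The `'%s'` placeholders are fine as written, since pgsql_table(5) applies SQL quoting to the key before substitution.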
@@ -0,0 +1,30 @@ + {{ php_obj(value)|indent }}, +{% endfor %} +] +{%- elif obj is iterable -%} +[ +{% for item in obj %} +{{ php_obj(item)|indent(first=true) }}, +{% endfor %} +] +{% endif %} +{% endmacro %} +{% for key, value in mailserver.postfixadmin.config.items() %} +$CONF['{{ key|replace('\\', '\\\\')|replace('\'', '\\\'') }}'] = {{ php_obj(value)|indent }}; +{% endfor %} diff --git a/templates/postfixadmin/php-fpm-pool.conf.j2 b/templates/postfixadmin/php-fpm-pool.conf.j2 new file mode 100644 index 0000000..62058e3 --- /dev/null +++ b/templates/postfixadmin/php-fpm-pool.conf.j2 @@ -0,0 +1,5 @@ +[postfixadmin] + +{% for key, value in mailserver.postfixadmin.php_fpm_config.items() %} +{{ key }} = {{ value }} +{% endfor %} diff --git a/templates/postsrsd/default.j2 b/templates/postsrsd/default.j2 new file mode 100644 index 0000000..19b81e2 --- /dev/null +++ b/templates/postsrsd/default.j2 
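Review bot: The first fifteen or so lines of this hunk (the PHP opening tag and the head of the `php_obj` macro with its scalar branches) did not survive this rendering, so the quoting of string values cannot be reviewed here. In the visible part, `{%- elif obj is iterable -%}` follows the mapping branch, and since Jinja strings are iterable, a string must already have been handled by an earlier branch or it would be emitted as a PHP array of one-character strings — worth confirming, and worth a comment at the top of the macro listing the branch order it relies on. The `$CONF[...]` key escaping covers `\` and `'`, which is what a single-quoted PHP literal needs, and the `"0640"` root:postfixadmin mode set by tasks/main.yml is appropriate for a file that carries `database_password`.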
@@ -0,0 +1,62 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+#SRS_DOMAIN=
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={{ mailserver.domains|join(',') }}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR=127.0.0.1
+
+# Jail daemon in chroot environment
+#
+CHROOT=/var/lib/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A always rewrite email addresses, even from SRS_DOMAIN
+# -t set connection timeout to seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A
diff --git a/templates/prometheus-postfix-exporter/default.j2 b/templates/prometheus-postfix-exporter/default.j2
new file mode 100644
index 0000000..5d96e15
--- /dev/null
+++ b/templates/prometheus-postfix-exporter/default.j2
@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/lib/prometheus/postfix-exporter/mail.log
+
+# Extra arguments for the daemon.
+ARGS='--web.listen-address {{ mailserver.postfix.metrics_address }}'
+
+# Prometheus-postfix-exporter supports the following options:
+# --postfix.showq_path string
+# Path at which Postfix places its showq socket.
+# (default "/var/spool/postfix/public/showq")
+# --web.listen-address string
+# Address to listen on for web interface and telemetry. (default ":9154")
+# --web.telemetry-path string
+# Path under which to expose metrics. (default "/metrics")
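Review bot: `SRS_EXCLUDE_DOMAINS={{ mailserver.domains|join(',') }}` renders empty with the role default `domains: []`, and because main.cf routes every envelope sender through `sender_canonical_maps = tcp:localhost:10001`, outbound mail from any hosted domain other than `mydomain` that is missing from `mailserver.domains` gets SRS-rewritten; the `# All mail domains` comment in defaults/main.yml does not mention that consequence. A comment above the line such as `# every domain hosted in postfixadmin must be listed here, otherwise its senders are SRS-rewritten on outbound mail` would make the coupling explicit. The SRS_HASHMIN comment also carries the typo `increading`.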